Advice Request Found a PUP: C:\Windows\n.exe

Please provide comments and solutions that are helpful to the author of this topic.

SeriousHoax

Level 47
Thread author
Well-known
Mar 16, 2019
3,630
This morning all on a sudden I was notified by WD with this detection for a file in the Windows folder.
C:\Windows\n.exe
n exe.PNG
This is the sample: VirusTotal

Thankfully it's not a malware, it's a PUP/Riskware which probably hide file attributes.
The relation chart on VT shows relation to uTorrent, KMS and some other unknown setup files. I'm not using any of those program on my system nor any cracked program. Have no idea how it came to be.
After deleting this is what WD shows as affected items.
n exe 2.PNG
Ignore the second one in K: directory because I manually copied it there to keep a copy of the sample.
So the affected items are:

"C:\Windows\n.exe"
"file: \\localhost\C$\Windows\n.exe"

I don't know what the last one means. Anyone knows anything about this PUP?
 

SeriousHoax

Level 47
Thread author
Well-known
Mar 16, 2019
3,630
It seems just the NirSoft tool:

Looks like some application use this tool do somethings in the background. Since even @venustus has it, I'm guessing we use or have used that particular application :unsure:
 

Freud2004

Level 10
Verified
Well-known
Jun 26, 2020
440
Looks like some application use this tool do somethings in the background. Since even @venustus has it, I'm guessing we use or have used that particular application :unsure:

Maybe this one (COMODO RSA):

Vendor and version information [?]​

The following is the available information on n.exe:
Product version1.0.0.465
File version1.0.0.465
Here's a screenshot of the file properties when displayed by Windows Explorer:

Product version1.0.0.465
File version1.0.0.465

Digital signatures [?]​

n.exe has a valid digital signature.
Signer nameOOO "SOLVO.LOG"
Certificate issuer nameCOMODO RSA Code Signing CA
Certificate serial number00bf908b9311068039d904cb4a73b8ba
 

SeriousHoax

Level 47
Thread author
Well-known
Mar 16, 2019
3,630
Maybe this one (COMODO RSA):

Vendor and version information [?]​

The following is the available information on n.exe:
Product version1.0.0.465
File version1.0.0.465
Here's a screenshot of the file properties when displayed by Windows Explorer:

Product version1.0.0.465
File version1.0.0.465

Digital signatures [?]​

n.exe has a valid digital signature.
Signer nameOOO "SOLVO.LOG"
Certificate issuer nameCOMODO RSA Code Signing CA
Certificate serial number00bf908b9311068039d904cb4a73b8ba
I checked again. It's not this one. It's the one @harlan4096 shared.
1.PNG
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
This is the full code of the application.
nircmd.png

It starts a process, which has to be given as argument, without showing a window. It's not malware. It's just something that might be abused to run a program silently, e.g., a setup

This file has not much in common with the official NirCmd. I downloaded the official one here NirCmd - Windows command line tool
So, well notet by @TairikuOkami

There is a debug path inside this file:
C:\Users\Alpha\source\repos\nircmdc\nircmdc\obj\Release\nircmdc.pdb
If you search for this string you will find a hybrid-analysis run of uTorrent and one any.run analysis on the file itself.

This indicates that it hasn't been seen in malware yet.
I wouldn't be too worried about it.
 

Coldblackice

New Member
Feb 14, 2015
2
This is the full code of the application.
View attachment 250329
It starts a process, which has to be given as argument, without showing a window. It's not malware. It's just something that might be abused to run a program silently, e.g., a setup

This file has not much in common with the official NirCmd. I downloaded the official one here NirCmd - Windows command line tool
So, well notet by @TairikuOkami

There is a debug path inside this file:
C:\Users\Alpha\source\repos\nircmdc\nircmdc\obj\Release\nircmdc.pdb
If you search for this string you will find a hybrid-analysis run of uTorrent and one any.run analysis on the file itself.

This indicates that it hasn't been seen in malware yet.
I wouldn't be too worried about it.
Thanks. How did you get it broken down like that? Is that from IDA?
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top